
Manage object lock


If Object Lock is configured in your bucket, you can manage object locking. The available locking actions depend on the lock type and lock mode.

Object lock can be managed by:

Temporary lock

Check for a temporary lock

If you have objects with segments, you cannot check for a lock on individual segments; you can only check the lock on the object itself. Segments inherit the lock settings applied to the object.

  1. Open the CLI.

  2. If you want to check the lock for a specific object version:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Check for the lock:

    aws s3api get-object-retention \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be checked for the current object version.

Enable Object Lock

If an object has both compliance and governance modes enabled, the compliance mode takes precedence.

To have the Object Lock applied to all new objects in a bucket by default, use the Enable Object Lock in a bucket by default section of the Object Lock instruction.

To upload an object with a lock, use AWS CLI; for more details, see the Upload object section of the AWS CLI instruction.

  1. Open the CLI.

  2. If you want to lock an object version other than the current one:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Lock the object:

    aws s3api put-object-retention \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --retention '{"Mode":"<lock_mode>","RetainUntilDate":"<date>"}'

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be applied to the current object version;
    • <lock_mode> — lock mode. Possible values are GOVERNANCE or COMPLIANCE;
    • <date> — the date until which the object will be locked, in ISO 8601 format, for example, 2025-09-06T00:00:00Z. The lock duration cannot exceed 100 years or 36,500 days.

Change the Object Lock duration

If the lock mode is set to:

  • Governance — the lock duration can be shortened or extended;
  • Compliance — the lock duration can only be extended.

To change the lock duration, use the Enable Object Lock section, and in the RetainUntilDate field, specify the new value.

Change the Object Lock mode

You can only change the lock mode from Governance to Compliance.

To change the lock mode, use the Enable Object Lock section, and in the Mode field, specify COMPLIANCE.
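The duration and mode rules above can be checked before calling put-object-retention. The script below is an added example, not code from the original documentation: the function names are hypothetical, timestamps are assumed to be UTC, and the 100-year limit is not checked.

```shell
#!/bin/sh
# Added example: pre-flight check for changing an existing retention lock.
# Function names are hypothetical; timestamps are assumed to be UTC.

# Reduce an ISO 8601 timestamp to a comparable integer (YYYYMMDDhhmmss).
ts_key() { printf '%s' "$1" | cut -c1-19 | tr -cd '0-9'; }

# check_retention_change CUR_MODE CUR_UNTIL NEW_MODE NEW_UNTIL
# Prints "allow: ..." and returns 0, or "deny: ..." and returns 1.
check_retention_change() {
    cur_mode=$1; new_mode=$3; new_until=$4
    cur_key=$(ts_key "$2"); new_key=$(ts_key "$new_until")
    for m in "$cur_mode" "$new_mode"; do
        case $m in
            GOVERNANCE|COMPLIANCE) ;;
            *) echo "deny: mode must be GOVERNANCE or COMPLIANCE"; return 1 ;;
        esac
    done
    if [ "${#cur_key}" -ne 14 ] || [ "${#new_key}" -ne 14 ]; then
        echo "deny: RetainUntilDate is not an ISO 8601 timestamp"; return 1
    fi
    # The mode can only be changed from Governance to Compliance.
    if [ "$cur_mode" = COMPLIANCE ] && [ "$new_mode" = GOVERNANCE ]; then
        echo "deny: COMPLIANCE cannot be changed to GOVERNANCE"; return 1
    fi
    # A Compliance lock can be extended but not shortened.
    if [ "$cur_mode" = COMPLIANCE ] && [ "$new_key" -lt "$cur_key" ]; then
        echo "deny: COMPLIANCE duration can only be extended"; return 1
    fi
    echo "allow: $cur_mode -> $new_mode until $new_until"
}

# Read the current lock, then apply the change only if the check passes.
# Fails closed when the current retention cannot be read.
change_retention() {
    bucket=$1; key=$2; want_mode=$3; want_until=$4
    cur=$(aws s3api get-object-retention --bucket "$bucket" --key "$key" \
        --query 'Retention.[Mode,RetainUntilDate]' --output text) ||
        { echo "deny: cannot read current retention"; return 1; }
    set -- $cur
    check_retention_change "$1" "$2" "$want_mode" "$want_until" || return 1
    aws s3api put-object-retention --bucket "$bucket" --key "$key" \
        --retention "{\"Mode\":\"$want_mode\",\"RetainUntilDate\":\"$want_until\"}"
}

# Constructed sample: shortening a Compliance lock is refused.
check_retention_change COMPLIANCE 2030-01-01T00:00:00Z \
    COMPLIANCE 2029-01-01T00:00:00Z || true
```

Only check_retention_change runs offline; change_retention needs configured AWS CLI credentials and an existing lock on the object.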

Disable Object Lock

You can only disable Object Lock in Governance mode.

It can only be disabled by a user with the member role or a user with another role with S3 access, provided the access policy allows the action s3:BypassGovernanceRetention.

  1. Open the CLI.

  2. If you want to disable the lock for a specific object version:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Disable the lock:

    aws s3api put-object-retention \
    --bucket <bucket_name> \
    --key "<path_to_object>" \
    --version-id <version_id> \
    --retention '{}' \
    --bypass-governance-retention

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be disabled for the current object version.

If you have objects with segments, you cannot check for a lock on individual segments; you can only check the lock on the object itself. Segments inherit the lock settings applied to the object.

  1. Open the CLI.

  2. If you want to check the lock for a specific object version:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Check for the lock:

    aws s3api get-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be checked for the current object version.

If an object has both compliance and governance modes enabled, the compliance mode takes precedence.

  1. Open the CLI.

  2. If you want to lock an object version other than the current one:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Lock the object:

    aws s3api put-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --legal-hold '{"Status": "ON"}'

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be applied to the current object version.

  1. Open the CLI.

  2. If you want to disable the lock for an object version other than the current one:

    2.1. Obtain the object version ID:

    aws s3api list-object-versions --bucket <bucket_name> --prefix <path_to_object>

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket.

    2.2. For the required object version, copy the ID specified in the VersionId field.

  3. Disable the lock:

    aws s3api put-object-legal-hold \
    --bucket <bucket_name> \
    --key <path_to_object> \
    --version-id <version_id> \
    --legal-hold '{"Status": "OFF"}'

    Specify:

    • <bucket_name> — bucket name;
    • <path_to_object> — path to the object in the bucket;
    • optionally: --version-id <version_id> — a parameter that specifies a version of the object. Here, <version_id> is the version ID you copied in step 2.2. If you do not specify this parameter, the lock will be removed from the current object version.